Search 110+ free tools… (e.g. json, vpn, password) ⌘K
Link Tools Dereferer Hide Referrer Link URL Shortener Affiliate Cloaker PayPal Links PayPal DonationPayPal Links Privacy Tools Password Generator Cloudflare Resolver My Referrer Torrent Tools Magnet → Torrent Torrent → Magnet Torrent Editor Pirate Bay Proxies Movierulz Proxies ExtraTorrent Proxies Dev Tools Base64 Encoder Hash Generator HTTP Headers Disposable Email Checker Company Blog About Us Contact Anonymize Free
Security Tool

Subdomain Finder

Discover all subdomains of any domain using Certificate Transparency logs. See live DNS resolution status, first and last seen dates, and copy individual subdomains. Free, no signup required.

Try: github.com · cloudflare.com · netflix.com
How It Works
1️⃣
CT Log Query
Every SSL certificate issued for a domain is publicly logged. We query crt.sh for all certificates ever issued for your target domain.
2️⃣
Deduplication
Thousands of cert records are deduplicated into a clean list of unique subdomains with first and last seen dates.
3️⃣
DNS Resolution
Each subdomain is checked against Google DNS to determine whether it is currently live or inactive.
4️⃣
Results
A clean, searchable, sortable table — copy individual subdomains or export the full list as CSV.
What are Certificate Transparency logs?+
CT logs are public, append-only records of every SSL/TLS certificate issued by trusted Certificate Authorities. They are mandated by RFC 6962 and browser policies. Because HTTPS is now near-universal, CT logs capture the vast majority of real subdomains — typically 90–95% of active ones.
Why are some subdomains inactive?+
A subdomain may appear in CT logs because it had an SSL certificate issued in the past, but the DNS record has since been removed. These historical subdomains are still valuable — forgotten staging environments, old API endpoints and decommissioned services are common sources of security vulnerabilities.
Are there subdomains this tool might miss?+
Yes — subdomains that have never had an SSL/TLS certificate issued will not appear in CT logs. This includes HTTP-only subdomains and internal services using self-signed certificates. For comprehensive enumeration, combine CT log results with DNS brute-forcing using a wordlist.
Is this legal to use?+
CT log queries are entirely passive — you are querying public records that anyone can access. No requests are sent to the target domain. This is standard OSINT (open-source intelligence) reconnaissance. Always ensure you have authorisation before testing any discovered subdomains for vulnerabilities.
Why is there a 500 subdomain limit?+
Very large domains (Google, Microsoft, Amazon) can have hundreds of thousands of CT log entries. We cap results at 500 to keep the tool fast and practical. For comprehensive enumeration of large domains, command-line tools like Subfinder or Amass are more suitable.
🛡️
Your IP address and DNS queries are visible to your ISP. Protect your privacy with a trusted VPN — tested and recommended by Anonymiz.
See Recommended VPNs →

Related Tools

🌐
DNS Record Checker
Lookup A, MX, TXT, CNAME records
 🔍
WHOIS Lookup
Domain registration and owner info
 🛡️
IP Reputation Checker
Check if an IP is malicious
 🔒
SSL Certificate Check
Check SSL expiry and validity
 📡
HTTP Headers Check
Inspect HTTP response headers
 🤖
Robots.txt Checker
Test robots.txt crawl rules
Done!